2 * Unix SMB/CIFS implementation.
3 * Authentication utility functions
4 * Copyright (C) Andrew Tridgell 1992-1998
5 * Copyright (C) Andrew Bartlett 2001
6 * Copyright (C) Jeremy Allison 2000-2001
7 * Copyright (C) Rafal Szczesniak 2002
8 * Copyright (C) Volker Lendecke 2006
9 * Copyright (C) Michael Adam 2007
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 3 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, see <http://www.gnu.org/licenses/>.
25 /* functions moved from auth/auth_util.c to minimize linker deps */
28 #include "lib/util_unixsids.h"
29 #include "system/passwd.h"
32 #include "../lib/util/memcache.h"
33 #include "../librpc/gen_ndr/netlogon.h"
34 #include "../libcli/security/security.h"
35 #include "../lib/util/util_pw.h"
37 #include "lib/privileges.h"
39 /****************************************************************************
40 Check for a SID in an struct security_token
41 ****************************************************************************/
43 bool nt_token_check_sid ( const struct dom_sid *sid, const struct security_token *token )
48 return security_token_has_sid(token, sid);
51 bool nt_token_check_domain_rid( struct security_token *token, uint32_t rid )
53 struct dom_sid domain_sid;
55 /* if we are a domain member, the get the domain SID, else for
56 a DC or standalone server, use our own SID */
58 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
59 if ( !secrets_fetch_domain_sid( lp_workgroup(),
61 DEBUG(1,("nt_token_check_domain_rid: Cannot lookup "
62 "SID for domain [%s]\n", lp_workgroup()));
67 sid_copy( &domain_sid, get_global_sam_sid() );
69 sid_append_rid( &domain_sid, rid );
71 return nt_token_check_sid( &domain_sid, token );\
74 /******************************************************************************
75 Create a token for the root user to be used internally by smbd.
76 This is similar to running under the context of the LOCAL_SYSTEM account
77 in Windows. This is a read-only token. Do not modify it or free() it.
78 Create a copy if you need to change it.
79 ******************************************************************************/
81 NTSTATUS get_root_nt_token( struct security_token **token )
83 struct security_token *for_cache;
84 struct dom_sid u_sid, g_sid;
87 NTSTATUS status = NT_STATUS_OK;
89 cache_data = memcache_lookup_talloc(
90 NULL, SINGLETON_CACHE_TALLOC,
91 data_blob_string_const_null("root_nt_token"));
93 if (cache_data != NULL) {
94 *token = talloc_get_type_abort(
95 cache_data, struct security_token);
99 if ( !(pw = getpwuid(0)) ) {
100 if ( !(pw = getpwnam("root")) ) {
101 DBG_ERR("get_root_nt_token: both getpwuid(0) "
102 "and getpwnam(\"root\") failed!\n");
103 return NT_STATUS_NO_SUCH_USER;
107 /* get the user and primary group SIDs; although the
108 BUILTIN\Administrators SId is really the one that matters here */
110 uid_to_sid(&u_sid, pw->pw_uid);
111 gid_to_sid(&g_sid, pw->pw_gid);
113 status = create_local_nt_token(talloc_tos(), &u_sid, False,
114 1, &global_sid_Builtin_Administrators, token);
115 if (!NT_STATUS_IS_OK(status)) {
119 security_token_set_privilege(*token, SEC_PRIV_DISK_OPERATOR);
124 NULL, SINGLETON_CACHE_TALLOC,
125 data_blob_string_const_null("root_nt_token"), &for_cache);
132 * Add alias SIDs from memberships within the partially created token SID list
135 NTSTATUS add_aliases(const struct dom_sid *domain_sid,
136 struct security_token *token)
139 size_t i, num_aliases;
143 if (!(tmp_ctx = talloc_init("add_aliases"))) {
144 return NT_STATUS_NO_MEMORY;
150 status = pdb_enum_alias_memberships(tmp_ctx, domain_sid,
153 &aliases, &num_aliases);
155 if (!NT_STATUS_IS_OK(status)) {
156 DEBUG(10, ("pdb_enum_alias_memberships failed: %s\n",
161 for (i=0; i<num_aliases; i++) {
162 struct dom_sid alias_sid;
163 sid_compose(&alias_sid, domain_sid, aliases[i]);
164 status = add_sid_to_array_unique(token, &alias_sid,
167 if (!NT_STATUS_IS_OK(status)) {
168 DEBUG(0, ("add_sid_to_array failed\n"));
174 TALLOC_FREE(tmp_ctx);
178 /*******************************************************************
179 *******************************************************************/
181 static NTSTATUS add_builtin_administrators(struct security_token *token,
182 const struct dom_sid *dom_sid)
184 struct dom_sid domadm;
187 /* nothing to do if we aren't in a domain */
189 if ( !(IS_DC || lp_server_role()==ROLE_DOMAIN_MEMBER) ) {
193 /* Find the Domain Admins SID */
196 sid_copy( &domadm, get_global_sam_sid() );
198 if (dom_sid == NULL) {
199 return NT_STATUS_INVALID_PARAMETER_MIX;
201 sid_copy(&domadm, dom_sid);
203 sid_append_rid( &domadm, DOMAIN_RID_ADMINS );
205 /* Add Administrators if the user beloongs to Domain Admins */
207 if ( nt_token_check_sid( &domadm, token ) ) {
208 status = add_sid_to_array(token,
209 &global_sid_Builtin_Administrators,
210 &token->sids, &token->num_sids);
211 if (!NT_STATUS_IS_OK(status)) {
219 static NTSTATUS add_builtin_guests(struct security_token *token,
220 const struct dom_sid *dom_sid)
222 struct dom_sid tmp_sid;
226 * First check the local GUEST account.
228 sid_compose(&tmp_sid, get_global_sam_sid(), DOMAIN_RID_GUEST);
230 if (nt_token_check_sid(&tmp_sid, token)) {
231 status = add_sid_to_array_unique(token,
232 &global_sid_Builtin_Guests,
233 &token->sids, &token->num_sids);
234 if (!NT_STATUS_IS_OK(status)) {
242 * First check the local GUESTS group.
244 sid_compose(&tmp_sid, get_global_sam_sid(), DOMAIN_RID_GUESTS);
246 if (nt_token_check_sid(&tmp_sid, token)) {
247 status = add_sid_to_array_unique(token,
248 &global_sid_Builtin_Guests,
249 &token->sids, &token->num_sids);
250 if (!NT_STATUS_IS_OK(status)) {
257 if (lp_server_role() != ROLE_DOMAIN_MEMBER) {
261 if (dom_sid == NULL) {
262 return NT_STATUS_INVALID_PARAMETER_MIX;
266 * First check the domain GUESTS group.
268 sid_copy(&tmp_sid, dom_sid);
269 sid_append_rid(&tmp_sid, DOMAIN_RID_GUESTS);
271 if (nt_token_check_sid(&tmp_sid, token)) {
272 status = add_sid_to_array_unique(token,
273 &global_sid_Builtin_Guests,
274 &token->sids, &token->num_sids);
275 if (!NT_STATUS_IS_OK(status)) {
285 static NTSTATUS add_local_groups(struct security_token *result,
288 NTSTATUS get_user_sid_info3_and_extra(const struct netr_SamInfo3 *info3,
289 const struct extra_auth_info *extra,
293 if (info3->base.rid == (uint32_t)(-1)) {
294 /* this is a signal the user was fake and generated,
295 * the actual SID we want to use is stored in the extra
297 if (is_null_sid(&extra->user_sid)) {
298 /* we couldn't find the user sid, bail out */
299 DEBUG(3, ("Invalid user SID\n"));
300 return NT_STATUS_UNSUCCESSFUL;
302 sid_copy(sid, &extra->user_sid);
304 sid_copy(sid, info3->base.domain_sid);
305 sid_append_rid(sid, info3->base.rid);
310 NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx,
312 const struct netr_SamInfo3 *info3,
313 const struct extra_auth_info *extra,
314 struct security_token **ntok)
316 struct security_token *usrtok = NULL;
317 uint32_t session_info_flags = 0;
321 DEBUG(10, ("Create local NT token for %s\n",
322 info3->base.account_name.string));
324 usrtok = talloc_zero(mem_ctx, struct security_token);
326 DEBUG(0, ("talloc failed\n"));
327 return NT_STATUS_NO_MEMORY;
330 /* Add the user and primary group sid FIRST */
331 /* check if the user rid is the special "Domain Guests" rid.
332 * If so pick the first sid for the extra sids instead as it
333 * is a local fake account */
334 usrtok->sids = talloc_array(usrtok, struct dom_sid, 2);
337 return NT_STATUS_NO_MEMORY;
339 usrtok->num_sids = 2;
341 status = get_user_sid_info3_and_extra(info3, extra, &usrtok->sids[0]);
342 if (!NT_STATUS_IS_OK(status)) {
348 if (info3->base.primary_gid == (uint32_t)(-1)) {
349 /* this is a signal the user was fake and generated,
350 * the actual SID we want to use is stored in the extra
352 if (is_null_sid(&extra->pgid_sid)) {
353 /* we couldn't find the user sid, bail out */
354 DEBUG(3, ("Invalid group SID\n"));
356 return NT_STATUS_UNSUCCESSFUL;
358 sid_copy(&usrtok->sids[1], &extra->pgid_sid);
360 sid_copy(&usrtok->sids[1], info3->base.domain_sid);
361 sid_append_rid(&usrtok->sids[1],
362 info3->base.primary_gid);
365 /* Now the SIDs we got from authentication. These are the ones from
366 * the info3 struct or from the pdb_enum_group_memberships, depending
367 * on who authenticated the user.
368 * Note that we start the for loop at "1" here, we already added the
369 * first group sid as primary above. */
371 for (i = 0; i < info3->base.groups.count; i++) {
372 struct dom_sid tmp_sid;
374 sid_copy(&tmp_sid, info3->base.domain_sid);
375 sid_append_rid(&tmp_sid, info3->base.groups.rids[i].rid);
377 status = add_sid_to_array_unique(usrtok, &tmp_sid,
380 if (!NT_STATUS_IS_OK(status)) {
381 DEBUG(3, ("Failed to add SID to nt token\n"));
387 /* now also add extra sids if they are not the special user/group
389 for (i = 0; i < info3->sidcount; i++) {
390 status = add_sid_to_array_unique(usrtok,
394 if (!NT_STATUS_IS_OK(status)) {
395 DEBUG(3, ("Failed to add SID to nt token\n"));
401 status = add_local_groups(usrtok, is_guest);
402 if (!NT_STATUS_IS_OK(status)) {
403 DEBUG(3, ("Failed to add local groups\n"));
408 session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
410 session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
413 status = finalize_local_nt_token(usrtok, session_info_flags);
414 if (!NT_STATUS_IS_OK(status)) {
415 DEBUG(3, ("Failed to finalize nt token\n"));
424 /*******************************************************************
425 Create a NT token for the user, expanding local aliases
426 *******************************************************************/
428 NTSTATUS create_local_nt_token(TALLOC_CTX *mem_ctx,
429 const struct dom_sid *user_sid,
432 const struct dom_sid *groupsids,
433 struct security_token **token)
435 struct security_token *result = NULL;
438 uint32_t session_info_flags = 0;
439 struct dom_sid_buf buf;
441 DEBUG(10, ("Create local NT token for %s\n",
442 dom_sid_str_buf(user_sid, &buf)));
444 if (!(result = talloc_zero(mem_ctx, struct security_token))) {
445 DEBUG(0, ("talloc failed\n"));
446 status = NT_STATUS_NO_MEMORY;
450 /* Add the user and primary group sid */
452 status = add_sid_to_array(result, user_sid,
453 &result->sids, &result->num_sids);
454 if (!NT_STATUS_IS_OK(status)) {
458 /* For guest, num_groupsids may be zero. */
460 status = add_sid_to_array(result, &groupsids[0],
463 if (!NT_STATUS_IS_OK(status)) {
468 /* Now the SIDs we got from authentication. These are the ones from
469 * the info3 struct or from the pdb_enum_group_memberships, depending
470 * on who authenticated the user.
471 * Note that we start the for loop at "1" here, we already added the
472 * first group sid as primary above. */
474 for (i=1; i<num_groupsids; i++) {
475 status = add_sid_to_array_unique(result, &groupsids[i],
478 if (!NT_STATUS_IS_OK(status)) {
483 status = add_local_groups(result, is_guest);
484 if (!NT_STATUS_IS_OK(status)) {
488 session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
490 session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
493 status = finalize_local_nt_token(result, session_info_flags);
494 if (!NT_STATUS_IS_OK(status)) {
500 * It's ugly, but for now it's
501 * needed to add Builtin_Guests
502 * here, the "local" token only
503 * consist of S-1-22-* SIDs
504 * and finalize_local_nt_token()
505 * doesn't have the chance to
506 * to detect it need to
507 * add Builtin_Guests via
508 * add_builtin_guests().
510 status = add_sid_to_array_unique(result,
511 &global_sid_Builtin_Guests,
514 if (!NT_STATUS_IS_OK(status)) {
515 DEBUG(3, ("Failed to add SID to nt token\n"));
521 return NT_STATUS_SUCCESS;
528 /***************************************************
529 Merge in any groups from /etc/group.
530 ***************************************************/
532 static NTSTATUS add_local_groups(struct security_token *result,
536 uint32_t getgroups_num_group_sids = 0;
537 struct passwd *pass = NULL;
538 TALLOC_CTX *tmp_ctx = talloc_stackframe();
543 * Guest is a special case. It's always
544 * a user that can be looked up, but
545 * result->sids[0] is set to DOMAIN\Guest.
546 * Lookup by account name instead.
548 pass = Get_Pwnam_alloc(tmp_ctx, lp_guest_account());
552 /* For non-guest result->sids[0] is always the user sid. */
553 if (!sid_to_uid(&result->sids[0], &uid)) {
555 * Non-mappable SID like SYSTEM.
556 * Can't be in any /etc/group groups.
558 TALLOC_FREE(tmp_ctx);
562 pass = getpwuid_alloc(tmp_ctx, uid);
564 struct dom_sid_buf buf;
565 DBG_ERR("SID %s -> getpwuid(%u) failed, is nsswitch configured?\n",
566 dom_sid_str_buf(&result->sids[0], &buf),
568 TALLOC_FREE(tmp_ctx);
569 return NT_STATUS_NO_SUCH_USER;
574 TALLOC_FREE(tmp_ctx);
575 return NT_STATUS_UNSUCCESSFUL;
579 * Now we must get any groups this user has been
580 * added to in /etc/group and merge them in.
581 * This has to be done in every code path
582 * that creates an NT token, as remote users
583 * may have been added to the local /etc/group
584 * database. Tokens created merely from the
585 * info3 structs (via the DC or via the krb5 PAC)
586 * won't have these local groups. Note the
587 * groups added here will only be UNIX groups
588 * (S-1-22-2-XXXX groups) as getgroups_unix_user()
589 * turns off winbindd before calling getgroups().
591 * NB. This is duplicating work already
592 * done in the 'unix_user:' case of
593 * create_token_from_sid() but won't
594 * do anything other than be inefficient
598 if (!getgroups_unix_user(tmp_ctx, pass->pw_name, pass->pw_gid,
599 &gids, &getgroups_num_group_sids)) {
600 DEBUG(1, ("getgroups_unix_user for user %s failed\n",
602 TALLOC_FREE(tmp_ctx);
603 return NT_STATUS_UNSUCCESSFUL;
606 for (i=0; i<getgroups_num_group_sids; i++) {
608 struct dom_sid grp_sid;
609 gid_to_sid(&grp_sid, gids[i]);
611 status = add_sid_to_array_unique(result,
615 if (!NT_STATUS_IS_OK(status)) {
616 DEBUG(3, ("Failed to add UNIX SID to nt token\n"));
617 TALLOC_FREE(tmp_ctx);
621 TALLOC_FREE(tmp_ctx);
625 NTSTATUS finalize_local_nt_token(struct security_token *result,
626 uint32_t session_info_flags)
628 struct dom_sid _dom_sid = { 0, };
629 struct dom_sid *domain_sid = NULL;
631 struct acct_info *info;
634 result->privilege_mask = 0;
635 result->rights_mask = 0;
637 if (result->num_sids == 0) {
638 return NT_STATUS_INVALID_TOKEN;
641 if (session_info_flags & AUTH_SESSION_INFO_DEFAULT_GROUPS) {
642 status = add_sid_to_array(result, &global_sid_World,
643 &result->sids, &result->num_sids);
644 if (!NT_STATUS_IS_OK(status)) {
647 status = add_sid_to_array(result, &global_sid_Network,
648 &result->sids, &result->num_sids);
649 if (!NT_STATUS_IS_OK(status)) {
655 * Don't expand nested groups of system, anonymous etc
657 * Note that they still get SID_WORLD and SID_NETWORK
658 * for now in order let existing tests pass.
660 * But SYSTEM doesn't get AUTHENTICATED_USERS
661 * and ANONYMOUS doesn't get BUILTIN GUESTS anymore.
663 if (security_token_is_anonymous(result)) {
666 if (security_token_is_system(result)) {
667 result->privilege_mask = ~0;
671 if (session_info_flags & AUTH_SESSION_INFO_AUTHENTICATED) {
672 status = add_sid_to_array(result,
673 &global_sid_Authenticated_Users,
676 if (!NT_STATUS_IS_OK(status)) {
681 /* Add in BUILTIN sids */
684 ok = secrets_fetch_domain_sid(lp_workgroup(), &_dom_sid);
686 domain_sid = &_dom_sid;
688 DEBUG(3, ("Failed to fetch domain sid for %s\n",
693 info = talloc_zero(talloc_tos(), struct acct_info);
695 DEBUG(0, ("talloc failed!\n"));
696 return NT_STATUS_NO_MEMORY;
699 /* Deal with the BUILTIN\Administrators group. If the SID can
700 be resolved then assume that the add_aliasmem( S-1-5-32 )
703 status = pdb_get_aliasinfo(&global_sid_Builtin_Administrators, info);
704 if (!NT_STATUS_IS_OK(status)) {
707 status = create_builtin_administrators(domain_sid);
710 if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
711 /* Add BUILTIN\Administrators directly to token. */
712 status = add_builtin_administrators(result, domain_sid);
713 if ( !NT_STATUS_IS_OK(status) ) {
714 DEBUG(3, ("Failed to check for local "
715 "Administrators membership (%s)\n",
718 } else if (!NT_STATUS_IS_OK(status)) {
719 DEBUG(2, ("WARNING: Failed to create "
720 "BUILTIN\\Administrators group! Can "
721 "Winbind allocate gids?\n"));
725 /* Deal with the BUILTIN\Users group. If the SID can
726 be resolved then assume that the add_aliasmem( S-1-5-32 )
729 status = pdb_get_aliasinfo(&global_sid_Builtin_Users, info);
730 if (!NT_STATUS_IS_OK(status)) {
733 status = create_builtin_users(domain_sid);
736 if (!NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) &&
737 !NT_STATUS_IS_OK(status))
739 DEBUG(2, ("WARNING: Failed to create BUILTIN\\Users group! "
740 "Can Winbind allocate gids?\n"));
745 * Deal with the BUILTIN\Guests group. If the SID can
746 * be resolved then assume that the add_aliasmem( S-1-5-32 )
749 status = pdb_get_aliasinfo(&global_sid_Builtin_Guests, info);
750 if (!NT_STATUS_IS_OK(status)) {
753 status = create_builtin_guests(domain_sid);
757 * NT_STATUS_PROTOCOL_UNREACHABLE:
758 * => winbindd is not running.
760 * NT_STATUS_ACCESS_DENIED:
761 * => no idmap config at all
762 * and wbint_AllocateGid()/winbind_allocate_gid()
765 * NT_STATUS_NO_SUCH_GROUP:
766 * => no idmap config at all and
767 * "tdbsam:map builtin = no" means
768 * wbint_Sids2UnixIDs() fails.
770 if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) ||
771 NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
772 NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_GROUP)) {
774 * Add BUILTIN\Guests directly to token.
775 * But only if the token already indicates
776 * real guest access by:
777 * - local GUEST account
778 * - local GUESTS group
779 * - domain GUESTS group
781 * Even if a user was authenticated, it
782 * can be member of a guest related group.
784 status = add_builtin_guests(result, domain_sid);
785 if (!NT_STATUS_IS_OK(status)) {
786 DEBUG(3, ("Failed to check for local "
787 "Guests membership (%s)\n",
790 * This is a hard error.
794 } else if (!NT_STATUS_IS_OK(status)) {
795 DEBUG(2, ("Failed to create "
796 "BUILTIN\\Guests group %s! Can "
797 "Winbind allocate gids?\n",
800 * This is a hard error.
808 /* Deal with local groups */
810 if (lp_winbind_nested_groups()) {
814 /* Now add the aliases. First the one from our local SAM */
816 status = add_aliases(get_global_sam_sid(), result);
818 if (!NT_STATUS_IS_OK(status)) {
823 /* Finally the builtin ones */
825 status = add_aliases(&global_sid_Builtin, result);
827 if (!NT_STATUS_IS_OK(status)) {
835 if (session_info_flags & AUTH_SESSION_INFO_NTLM) {
836 struct dom_sid tmp_sid = { 0, };
838 ok = dom_sid_parse(SID_NT_NTLM_AUTHENTICATION, &tmp_sid);
840 return NT_STATUS_NO_MEMORY;
843 status = add_sid_to_array(result,
847 if (!NT_STATUS_IS_OK(status)) {
852 if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) {
853 if (security_token_has_builtin_administrators(result)) {
854 result->privilege_mask = ~0;
857 /* Add privileges based on current user sids */
858 get_privileges_for_sids(&result->privilege_mask, result->sids,
865 /****************************************************************************
866 prints a UNIX 'token' to debug output.
867 ****************************************************************************/
869 void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid,
870 int n_groups, gid_t *groups)
873 DEBUGC(dbg_class, dbg_lev,
874 ("UNIX token of user %ld\n", (long int)uid));
876 DEBUGADDC(dbg_class, dbg_lev,
877 ("Primary group is %ld and contains %i supplementary "
878 "groups\n", (long int)gid, n_groups));
879 for (i = 0; i < n_groups; i++)
880 DEBUGADDC(dbg_class, dbg_lev, ("Group[%3i]: %ld\n", i,
881 (long int)groups[i]));
885 * Create an artificial NT token given just a domain SID.
889 * unmapped unix users: Go directly to nss to find the user's group.
891 * A passdb user: The list of groups is provided by pdb_enum_group_memberships.
893 * If the user is provided by winbind, the primary gid is set to "domain
894 * users" of the user's domain. For an explanation why this is necessary, see
895 * the thread starting at
896 * http://lists.samba.org/archive/samba-technical/2006-January/044803.html.
899 static NTSTATUS create_token_from_sid(TALLOC_CTX *mem_ctx,
900 const struct dom_sid *user_sid,
902 uid_t *uid, gid_t *gid,
903 char **found_username,
904 struct security_token **token)
906 NTSTATUS result = NT_STATUS_NO_SUCH_USER;
907 TALLOC_CTX *tmp_ctx = talloc_stackframe();
909 struct dom_sid *group_sids;
910 struct dom_sid tmp_sid;
911 uint32_t num_group_sids;
916 struct dom_sid_buf buf;
918 if (sid_check_is_in_our_sam(user_sid)) {
920 uint32_t pdb_num_group_sids;
921 /* This is a passdb user, so ask passdb */
923 struct samu *sam_acct = NULL;
925 if ( !(sam_acct = samu_new( tmp_ctx )) ) {
926 result = NT_STATUS_NO_MEMORY;
931 ret = pdb_getsampwsid(sam_acct, user_sid);
935 DEBUG(1, ("pdb_getsampwsid(%s) failed\n",
936 dom_sid_str_buf(user_sid, &buf)));
937 DEBUGADD(1, ("Fall back to unix user\n"));
941 result = pdb_enum_group_memberships(tmp_ctx, sam_acct,
943 &pdb_num_group_sids);
944 if (!NT_STATUS_IS_OK(result)) {
945 DEBUG(1, ("enum_group_memberships failed for %s: "
947 dom_sid_str_buf(user_sid, &buf),
949 DEBUGADD(1, ("Fall back to unix uid lookup\n"));
952 num_group_sids = pdb_num_group_sids;
954 /* see the smb_panic() in pdb_default_enum_group_memberships */
955 SMB_ASSERT(num_group_sids > 0);
957 /* Ensure we're returning the found_username on the right context. */
958 *found_username = talloc_strdup(mem_ctx,
959 pdb_get_username(sam_acct));
961 if (*found_username == NULL) {
962 result = NT_STATUS_NO_MEMORY;
967 * If the SID from lookup_name() was the guest sid, passdb knows
968 * about the mapping of guest sid to lp_guest_account()
969 * username and will return the unix_pw info for a guest
970 * user. Use it if it's there, else lookup the *uid details
971 * using Get_Pwnam_alloc(). See bug #6291 for details. JRA.
974 /* We must always assign the *uid. */
975 if (sam_acct->unix_pw == NULL) {
976 struct passwd *pwd = Get_Pwnam_alloc(sam_acct, *found_username );
978 DEBUG(10, ("Get_Pwnam_alloc failed for %s\n",
980 result = NT_STATUS_NO_SUCH_USER;
983 result = samu_set_unix(sam_acct, pwd );
984 if (!NT_STATUS_IS_OK(result)) {
985 DEBUG(10, ("samu_set_unix failed for %s\n",
987 result = NT_STATUS_NO_SUCH_USER;
991 *uid = sam_acct->unix_pw->pw_uid;
993 } else if (sid_check_is_in_unix_users(user_sid)) {
994 uint32_t getgroups_num_group_sids;
995 /* This is a unix user not in passdb. We need to ask nss
996 * directly, without consulting passdb */
1001 * This goto target is used as a fallback for the passdb
1002 * case. The concrete bug report is when passdb gave us an
1008 if (!sid_to_uid(user_sid, uid)) {
1009 DEBUG(1, ("unix_user case, sid_to_uid for %s failed\n",
1010 dom_sid_str_buf(user_sid, &buf)));
1011 result = NT_STATUS_NO_SUCH_USER;
1015 uid_to_unix_users_sid(*uid, &tmp_sid);
1016 user_sid = &tmp_sid;
1018 pass = getpwuid_alloc(tmp_ctx, *uid);
1020 DEBUG(1, ("getpwuid(%u) failed\n",
1021 (unsigned int)*uid));
1025 if (!getgroups_unix_user(tmp_ctx, pass->pw_name, pass->pw_gid,
1026 &gids, &getgroups_num_group_sids)) {
1027 DEBUG(1, ("getgroups_unix_user for user %s failed\n",
1031 num_group_sids = getgroups_num_group_sids;
1033 group_sids = talloc_array(tmp_ctx, struct dom_sid, num_group_sids);
1034 if (group_sids == NULL) {
1035 DEBUG(1, ("talloc_array failed\n"));
1036 result = NT_STATUS_NO_MEMORY;
1040 for (i=0; i<num_group_sids; i++) {
1041 gid_to_sid(&group_sids[i], gids[i]);
1044 /* In getgroups_unix_user we always set the primary gid */
1045 SMB_ASSERT(num_group_sids > 0);
1047 /* Ensure we're returning the found_username on the right context. */
1048 *found_username = talloc_strdup(mem_ctx, pass->pw_name);
1049 if (*found_username == NULL) {
1050 result = NT_STATUS_NO_MEMORY;
1055 /* This user is from winbind, force the primary gid to the
1056 * user's "domain users" group. Under certain circumstances
1057 * (user comes from NT4), this might be a loss of
1058 * information. But we can not rely on winbind getting the
1059 * correct info. AD might prohibit winbind looking up that
1062 /* We must always assign the *uid. */
1063 if (!sid_to_uid(user_sid, uid)) {
1064 DEBUG(1, ("winbindd case, sid_to_uid for %s failed\n",
1065 dom_sid_str_buf(user_sid, &buf)));
1066 result = NT_STATUS_NO_SUCH_USER;
1071 group_sids = talloc_array(tmp_ctx, struct dom_sid, num_group_sids);
1072 if (group_sids == NULL) {
1073 DEBUG(1, ("talloc_array failed\n"));
1074 result = NT_STATUS_NO_MEMORY;
1078 gids = talloc_array(tmp_ctx, gid_t, num_group_sids);
1080 result = NT_STATUS_NO_MEMORY;
1084 sid_copy(&group_sids[0], user_sid);
1085 sid_split_rid(&group_sids[0], NULL);
1086 sid_append_rid(&group_sids[0], DOMAIN_RID_USERS);
1088 if (!sid_to_gid(&group_sids[0], &gids[0])) {
1089 DEBUG(1, ("sid_to_gid(%s) failed\n",
1090 dom_sid_str_buf(&group_sids[0], &buf)));
1094 *found_username = NULL;
1099 /* Add the "Unix Group" SID for each gid to catch mapped groups
1100 and their Unix equivalent. This is to solve the backwards
1101 compatibility problem of 'valid users = +ntadmin' where
1102 ntadmin has been paired with "Domain Admins" in the group
1103 mapping table. Otherwise smb.conf would need to be changed
1104 to 'valid user = "Domain Admins"'. --jerry */
1106 num_gids = num_group_sids;
1107 range_ok = lp_idmap_default_range(&low, &high);
1108 for ( i=0; i<num_gids; i++ ) {
1109 struct dom_sid unix_group_sid;
1111 /* don't pickup anything managed by Winbind */
1112 if (range_ok && (gids[i] >= low) && (gids[i] <= high)) {
1116 gid_to_unix_groups_sid(gids[i], &unix_group_sid);
1118 result = add_sid_to_array_unique(tmp_ctx, &unix_group_sid,
1119 &group_sids, &num_group_sids);
1120 if (!NT_STATUS_IS_OK(result)) {
1125 /* Ensure we're creating the nt_token on the right context. */
1126 result = create_local_nt_token(mem_ctx, user_sid,
1127 is_guest, num_group_sids, group_sids, token);
1129 if (!NT_STATUS_IS_OK(result)) {
1133 result = NT_STATUS_OK;
1135 TALLOC_FREE(tmp_ctx);
1140 * Create an artificial NT token given just a username. (Initially intended
1143 * We go through lookup_name() to avoid problems we had with 'winbind use
1148 * unmapped unix users: Go directly to nss to find the user's group.
1150 * A passdb user: The list of groups is provided by pdb_enum_group_memberships.
1152 * If the user is provided by winbind, the primary gid is set to "domain
1153 * users" of the user's domain. For an explanation why this is necessary, see
1154 * the thread starting at
1155 * http://lists.samba.org/archive/samba-technical/2006-January/044803.html.
1158 NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
1160 uid_t *uid, gid_t *gid,
1161 char **found_username,
1162 struct security_token **token)
1164 NTSTATUS result = NT_STATUS_NO_SUCH_USER;
1165 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1166 struct dom_sid user_sid;
1167 enum lsa_SidType type;
1169 if (!lookup_name_smbconf(tmp_ctx, username, LOOKUP_NAME_ALL,
1170 NULL, NULL, &user_sid, &type)) {
1171 DEBUG(1, ("lookup_name_smbconf for %s failed\n", username));
1175 if (type != SID_NAME_USER) {
1176 DEBUG(1, ("%s is a %s, not a user\n", username,
1177 sid_type_lookup(type)));
1181 result = create_token_from_sid(mem_ctx, &user_sid, is_guest, uid, gid, found_username, token);
1183 if (!NT_STATUS_IS_OK(result)) {
1188 * If result == NT_STATUS_OK then
1189 * we know we have a valid token. Ensure
1190 * we also have a valid username to match.
1193 if (*found_username == NULL) {
1194 *found_username = talloc_strdup(mem_ctx, username);
1195 if (*found_username == NULL) {
1196 result = NT_STATUS_NO_MEMORY;
1201 TALLOC_FREE(tmp_ctx);
1205 /***************************************************************************
1206 Build upon create_token_from_sid:
1208 Expensive helper function to figure out whether a user given its sid is
1209 member of a particular group.
1210 ***************************************************************************/
1212 bool user_sid_in_group_sid(const struct dom_sid *sid, const struct dom_sid *group_sid)
1217 char *found_username;
1218 struct security_token *token;
1219 bool result = false;
1220 enum lsa_SidType type;
1221 TALLOC_CTX *mem_ctx = talloc_stackframe();
1222 struct dom_sid_buf buf;
1224 if (!lookup_sid(mem_ctx, sid,
1225 NULL, NULL, &type)) {
1226 DEBUG(1, ("lookup_sid for %s failed\n",
1227 dom_sid_str_buf(sid, &buf)));
1231 if (type != SID_NAME_USER) {
1232 DEBUG(5, ("%s is a %s, not a user\n",
1233 dom_sid_str_buf(sid, &buf),
1234 sid_type_lookup(type)));
1238 status = create_token_from_sid(mem_ctx, sid, False,
1239 &uid, &gid, &found_username,
1242 if (!NT_STATUS_IS_OK(status)) {
1243 DEBUG(10, ("could not create token for %s\n",
1244 dom_sid_str_buf(sid, &buf)));
1248 result = security_token_has_sid(token, group_sid);
1251 TALLOC_FREE(mem_ctx);
1255 /***************************************************************************
1256 Build upon create_token_from_username:
1258 Expensive helper function to figure out whether a user given its name is
1259 member of a particular group.
1260 ***************************************************************************/
1262 bool user_in_group_sid(const char *username, const struct dom_sid *group_sid)
1267 char *found_username;
1268 struct security_token *token;
1270 TALLOC_CTX *mem_ctx = talloc_stackframe();
1272 status = create_token_from_username(mem_ctx, username, False,
1273 &uid, &gid, &found_username,
1276 if (!NT_STATUS_IS_OK(status)) {
1277 DEBUG(10, ("could not create token for %s\n", username));
1278 TALLOC_FREE(mem_ctx);
1282 result = security_token_has_sid(token, group_sid);
1284 TALLOC_FREE(mem_ctx);
1288 bool user_in_group(const char *username, const char *groupname)
1290 TALLOC_CTX *mem_ctx = talloc_stackframe();
1291 struct dom_sid group_sid;
1294 ret = lookup_name(mem_ctx, groupname, LOOKUP_NAME_ALL,
1295 NULL, NULL, &group_sid, NULL);
1296 TALLOC_FREE(mem_ctx);
1299 DEBUG(10, ("lookup_name for (%s) failed.\n", groupname));
1303 return user_in_group_sid(username, &group_sid);
git.samba.org / gd / samba-autobuild / .git / blob